GDPR Article 21 Right to Object: Direct Marketing Text

In one sentence. GDPR Article 21(2) grants an absolute right to object to processing for direct marketing purposes — including any associated profiling — with no balancing test and no exception: once exercised, the controller must stop, immediately. For non-marketing processing (Article 21(1)), the right is qualified and requires balancing. Official text: Regulation (EU) 2016/679, Article 21 on EUR-Lex.

The direct marketing carve-out in Article 21(2) is one of the GDPR’s strongest individual rights. Combined with the ePrivacy Directive (2002/58/EC) opt-in regime for electronic communications, it forms the legal backbone of email/SMS marketing compliance in the EU.

Key takeaways

• Article 21(2) right to object to direct marketing is absolute — no balancing.
• Right must be explicitly brought to the attention of the data subject (Article 21(4)).
• Includes profiling related to direct marketing.
• Must be exercisable by automated means (Recital 70).
• Article 21(1) for other processing: controller must demonstrate compelling legitimate grounds.
• Sanctions: Article 83(5)(b) — up to €20M or 4% of global turnover.

1. Article 21 official text

Article 21 — Right to object

1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

2. The direct marketing absolute right (Article 21(2))

Unlike Article 21(1), the direct marketing right has no balancing test:

• No need to prove “particular situation”
• No “compelling legitimate grounds” defence available to the controller
• Effect: immediate cessation of marketing processing

This is GDPR’s strongest opt-out.

3. Scope: what counts as direct marketing?

EDPB and ICO consistently confirm direct marketing includes:

• Email, SMS, postal mail, push notifications, in-app messages
• Telephone calls (subject to ePrivacy)
• Targeted advertising tied to identifiable individuals
• Behavioural advertising with profiling
• “Newsletter” if commercially-oriented

Pure service messages (password reset, order confirmation) are not marketing.

4. Profiling for marketing

Article 21(2) explicitly extends to “profiling to the extent that it is related to such direct marketing”. This includes:

• Segment-based ad targeting
• Lookalike audiences derived from a contactable individual
• Marketing scoring (lead scoring tied to identified persons)

5. Article 21(1) — non-marketing objection

For Article 6(1)(e) (public task) or 6(1)(f) (legitimate interest):

• Data subject must invoke “grounds relating to his or her particular situation”
• Controller can continue only by demonstrating compelling legitimate grounds overriding the data subject’s interests, or for legal claims
• Burden of proof shifts to the controller

6. Article 21(4) — visibility obligation

The right must be brought to attention at the time of first communication, clearly and separately from other information. Privacy notices that bury the objection right are non-compliant.

Practical: a one-click unsubscribe in every marketing email, plus dedicated privacy notice section.

7. Article 21(5) — automated exercise

In the context of information society services, the right must be exercisable by automated means — APIs, headers, browser signals. Recital 70 references “technical specifications”. Global Privacy Control (GPC) is one such mechanism, gaining recognition in several DPA decisions.

8. Interplay with ePrivacy

The ePrivacy Directive (2002/58/EC) requires prior opt-in consent for most marketing emails (Article 13). Article 21 GDPR adds the right to object after consent was given (i.e. withdraw + object). The “soft opt-in” exception for existing customers (Article 13(2) ePrivacy) does not override Article 21.

9. Sanctions and enforcement

Article 83(5)(b): up to €20M or 4% of global turnover.

Notable cases:

• Vodafone Italy (Garante 2020): €12.25M including marketing objection failures
• Eni Gas e Luce (Garante 2019): €11.5M
• Carrefour France (CNIL 2020): €2.25M, marketing objection partly
• Free Mobile (CNIL 2022): €300,000 for ignoring unsubscribes
• TIM (Garante 2020): €27.8M, multi-channel marketing objection failures

10. Implementation checklist

1. One-click unsubscribe in every marketing email (Article 13 ePrivacy + Article 21 GDPR)
2. Suppression list synchronised in <24h across channels
3. Privacy notice with explicit, separate Article 21 mention
4. API endpoint for automated objection (Article 21(5))
5. Audit trail of objection requests
6. Train marketing ops on absolute nature of Article 21(2)
7. Coordinate with consent management platform

11. Tooling

Legiscope provides an Article 21 objection register, suppression list propagation across CRM/ESP/ad platforms, automated SLA tracking, and audit trail. Integrates with DSAR and consent management.

FAQ

What is the text of GDPR Article 21?

The official text grants the right to object to processing based on public interest or legitimate interest (Article 21(1)), and an absolute right to object to direct marketing including profiling (Article 21(2)). Full text on EUR-Lex.

Is the right to object to direct marketing absolute?

Yes. Article 21(2) provides no balancing test and no exception. Once exercised, the controller must stop processing for marketing purposes immediately.

Does Article 21 cover profiling?

Yes, expressly: “profiling to the extent that it is related to such direct marketing”. Segment targeting, lookalikes, and scoring are all in scope.

How quickly must marketing stop after an objection?

GDPR does not specify a duration but EDPB and DPAs require effective and prompt cessation — in practice within 24-72 hours given automated suppression list capabilities.

What’s the sanction for ignoring an Article 21 objection?

Up to €20M or 4% of global turnover (Article 83(5)(b)). TIM (€27.8M, Garante 2020) and Vodafone Italy (€12.25M) are the leading cases.